Kangaroo Twelve Sponginess

[d3x0r]

Although this is probably something I'll have to do myself, I use the K12 algorithm as a stream of bits; and as far as I can tell the existing API you've implemented only returns one fixed size result?
One of the features of the sponge function is you can just keeping wringing out the same sponge for more and more bits.

https://github.com/d3x0r/srg (salty-random-generator)

[d3x0r]

It also turns out you can add entropy to the random bits inbetween squeezes....

(soak) (initial entropy)

• (1)run out of bits. ask for more; soak.
• (squeeze)
• goto 1...

it is also nice if the internal state can be kept inbetween stages... a simple PoW algorithm can soak the data, clone the entropy states, and then update with just a nonce and test the result without re-soaking the data.

[paulmillr]

Sorry for late response, took some time to research question.

Although this is probably something I'll have to do myself, I use the K12 algorithm as a stream of bits; and as far as I can tell the existing API you've implemented only returns one fixed size result?
One of the features of the sponge function is you can just keeping wringing out the same sponge for more and more bits.

Starting from now, shake/cshake/blake3/k12/m14 and all xof variants of SP800-185 functions support streaming API:

const h = blake3.create().update('test');
const digest_first_byte = h.XOF(1);
const digest_first_10_bytes = h.XOF(10);

// OR
const buf = new UintArray(10);
h.XOFInto(buf); // write buf.length bytes into buf
consume(buf);

h.XOFInto(buf);
consume(buf);

It also turns out you can add entropy to the random bits inbetween squeezes....
(soak) (initial entropy)
(1)run out of bits. ask for more; soak.
(squeeze)
goto 1...

We've implemented KeccakPRG (see sha3-addons.ts) for these purposes,
it allows to use keccak as duplex stream, writing and reading to it at same time via .feed/.fetch API.
However it is true only for sponge functions like keccak, K12 is tree-like construction on top of keccak:
K12 = keccak(first_8kb||keccak(second_8kb)||keccak(third_8kb))
Which means you can read random bytes for first 8kb of entropy immediately, but for second 8kb of entropy you need to wait until whole 8kbs are written.
And you will get only 32 random bytes from second chunk, which looks like pretty strange construction for PRG.

it is also nice if the internal state can be kept inbetween stages... a simple PoW algorithm can soak the data, clone the entropy states, and then update with just a nonce and test the result without re-soaking the data.

All hash functions have clone API for state restoration via '.clone' method, there is also unsafe ._cloneInto method to re-use existing state:

const tmp = hash().create().update('a')
const clone = tmp.clone().update('b')
tmp.update('c')
assert.deepStrictEqual(clone.digest(), hash('ab'))
assert.deepStrictEqual(tmp.digest(), hash('ac'))
tmp._cloneInto(clone);
assert.deepStrictEqual(tmp, clone);